EUVD-2026-31110
GHSA-6mm6-m775-chpm
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionNVD
Undefined behavior may result due to a race condition leading to a use-after-free violation. If BIND receives an incoming DNS message signed with SIG(0), it begins work to validate that signature. If, during that validation, the "recursive-clients" limit is reached (as would occur during a query flood), and that same DNS message is discarded per the limit, there is a brief window of time while the SIG(0) validation may attempt to read the now-discarded DNS message. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.28 through 9.18.49 and 9.18.28-S1 through 9.18.49-S1 are NOT affected.
AnalysisAI
Denial of service in ISC BIND 9 resolvers can be triggered when a SIG(0)-signed DNS message is dropped under recursive-clients pressure, creating a race that leads to a use-after-free on the discarded message buffer. Affects BIND 9.20.0-9.20.22, 9.21.0-9.21.21, and the 9.20.9-S1-9.20.22-S1 subscription branch; no public exploit identified at time of analysis and the issue is not on CISA KEV.
Sign in for full analysis, threat intelligence, and remediation guidance.
RemediationAI
Within 24 hours: Identify all BIND 9 deployments and document running versions; Within 7 days: Apply vendor-released patch per ISC BIND advisory for affected versions (9.20.x, 9.21.x, and subscription branches); Within 30 days: Validate patch deployment, review resolver logs for DoS indicators, and perform DNS resolution functional testing.
Sign in for detailed remediation steps.
More from same product – last 7 days
Command injection in the shell-quote npm package allows attackers who can influence object-token inputs to inject arbitr
Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers
Vendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today